8.8 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Adjacent (A)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Adjacent (A)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
Cline: Cross-Origin WebSocket Hijacking in Cline Hub Dashboard (`/browser` endpoint)
Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. Prior to 3.0.30, the Cline Hub dashboard server launched by the cline dashboard command accepts WebSocket connections on the /browser endpoint without validating the Origin header, and when ROOM_SECRET is unset for local 127.0.0.1 binds, isAuthorizedBrowserRequest() allows attacker-controlled websites to send desktopCommand frames that read workspace state, mutate MCP and provider settings, and trigger command execution when a provider or model is configured. This issue is fixed in version 3.0.30.
References
-
https://github.com/cline/cline/security/advisories/GHSA-3cj3-hqcr-g934 x_refsource_CONFIRM
-
https://github.com/cline/cline/pull/11724 x_refsource_MISC
-
https://github.com/cline/cline/releases/tag/cli-v3.0.30 x_refsource_MISC
Affected products
- ==< 3.0.30
Matching in nixpkgs
pkgs.execline
Small scripting language, to be used in place of a shell in non-interactive scripts
pkgs.execline-man-pages
Port of the documentation for the execline suite to mdoc
pkgs.haskellPackages.isocline
A portable alternative to GNU Readline
pkgs.skawarePackages.execline
Small scripting language, to be used in place of a shell in non-interactive scripts
pkgs.python313Packages.recline
This library helps you quickly implement an interactive command-based application
pkgs.python314Packages.recline
This library helps you quickly implement an interactive command-based application
Package maintainers
-
@Profpatsch Profpatsch <mail@profpatsch.de>
-
@alyssais Alyssa Ross <hi@alyssa.is>
-
@pmahoney Patrick Mahoney <pat@polycrystal.org>
-
@sternenseemann Lukas Epple <sternenseemann@systemli.org>